Fixes:
CVE-2015-0219 - incorrectly handled underscores in WSGI headers. A
remote attacker could possibly use this issue to spoof headers in
certain environments.
CVE-2015-0220 - incorrectly handled user-supplied redirect URLs. A
remote attacker could possibly use this issue to perform a cross-site
scripting attack.
CVE-2015-0221 - incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service.
CVE-2015-0222 - incorrectly handled forms with ModelMultipleChoiceField.
A remote attacker could possibly use this issue to cause a large number
of SQL queries, resulting in a database denial of service.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It has a hardcoded -ldl link invocation, so drop it. Fixes:
http://autobuild.buildroot.net/results/66ba5f76694d0738b113463579ce6b2fa49a89d6/
Also add hash file and rename uclinux patch to new naming convention.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patches located at ftp or http(s) URLs were downloaded using DOWNLOAD
macro. For example, if linux source was located at external git
repository, DOWNLOAD macro uses git scheme as well and buildroot
tried to downlod a path using DOWNLOAD_GIT macro. As a result, nothing
was downloaded and build siletly passes.
Patches located at mentioned URLs is now downloaded directly with
DOWNLOAD_WGET macro.
Signed-off-by: Ivo Slanina <ivo.slanina@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patches located at https:// scheme URL were threated as directories,
causing build failures.
Fixed by adding https:// pattern.
Signed-off-by: Ivo Slanina <ivo.slanina@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It is only the get-edid tool that is x86 specific, parse-edid builds and
works fine on other architectures so make it available everywhere.
Also drop the custom install step as 'make install' does the right thing.
This does cause us to install into /usr/sbin instead of /sbin, but as that
is what upstream wants we can consider that a bugfix.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We don't use the 1.17.x series because it has issues when
cross-compiling.
[Thomas:
- change license to GPLv2+, and the license file to COPYING. While
start-stop-daemon.c itself is under the Public Domain, the compat
library against which it is linked is GPLv2+.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Karoly Kasza <kaszak@gmail.com>
Reviewed-by: Karoly Kasza <kaszak@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Make the S40network script create the /run/network directory for the
debian variant of ifupdown which uses it as a lock directory.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Karoly Kasza <kaszak@gmail.com>
Reviewed-by: Karoly Kasza <kaszak@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The unit file is taken from debian, but tested working.
We'll call it named.service to match the sysV initscript.
Signed-off-by: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Compilation fails with this defconfig, provided by Thomas
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-2014.11.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_HEADERS_3_17=y
BR2_TOOLCHAIN_EXTERNAL_LARGEFILE=y
BR2_TOOLCHAIN_EXTERNAL_INET_IPV6=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
BR2_TOOLCHAIN_EXTERNAL_INET_RPC=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_GLMARK2=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_RPI_USERLAND=y
because rpi-userland is used a provider for libegl/gles.
Fix this by depending on the corresponding mesa3d suboptions.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add support for building nodejs with hard floating ABI if supported by the
target and remove bogus comment. Buildroot does propose this tuning.
Basically, you have three cases of floating point strategies:
* soft float, i.e 'soft' in nodejs speak. This is enabled in Buildroot
when BR2_ARM_EABI=y and BR2_SOFT_FLOAT=y.
* hard float using integer registers to pass floating point arguments,
i.e 'softfp' in nodejs speak. This is enabled in Buildroot when
BR2_ARM_EABI=y and BR2_SOFT_FLOAT is disabled.
* hard float using floating pointer registers to pass floating point
arguments, i.e 'hard' in nodejs speak. This is enabled in Buildroot
when BR2_ARM_EABIHF=y.
This patch fixes "[Buildroot] Float error on SAMA5D3 Xplained using nodejs":
http://lists.busybox.net/pipermail/buildroot/2014-December/114254.html
Tested at run-time by me on a TI Beaglebone Black.
[Thomas: add qstrip call when using the BR2_GCC_TARGET_FLOAT_ABI
variable.]
Signed-off-by: Jörg Krause <jkrause@posteo.de>
Reported-by: Cédric Heyman <c.heyman@til-technologies.fr>
Suggested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Squid bundles a copy of libltdl (from libtool) which autoreconfigures on
its own.
For some odd reason when automake was bumped to version 1.15 and if the host
system has another automake version, for example 1.14, the ACLOCAL and
AUTOMAKE variables don't expand properly when the internal autoreconf is
triggered hence calling the missing handler which in turn tries to use
an incorrect automake version.
The solution is to pass unexpanded ACLOCAL and AUTOMAKE variables that
defer the evaluation to a later moment and avoid the issue.
Fixes:
http://autobuild.buildroot.net/results/73f/73fcffafbea320f8c64378bbe8a96922b5e7c6b5/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Enable the required conntrack/netfilter options, otherwise
xtables-addons will fail to build.
The basic iptables options are already covered by the iptables package
which is a required dependency anyway.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Enable the basic kernel options for iptables to be useful at least to
filter incoming connections.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The geoip "helpers" are basically scripts that download and reformat
the geoip database in a form usable by xt_geoip.
The netfilter (kernel & userland) sides of it are built and installed.
Since there are many considerations to geoip databases (free,
commercial and variants for each) it's left to the user to deal with
that if they plan to use the extension which is only one among many.
[Thomas:
- Take into account the rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS
- Remove "depends on BR2_LINUX_KERNEL" as suggested by Arnout.
- Move XTABLES_ADDONS_CONF_OPTS a bit further down, with newlines
around it, and adjust the indentation of the first line. Just to
make it slightly more readable.]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently in Buildroot we have a BR2_PACKAGE_QT_ARCH_SUPPORTS_WEBKIT
variable indicating which architectures support Qt Webkit. We also make
Qt Script depending on that variable, so we are assuming that Qt Script
is supported for exactly the same architectures which support Qt Webkit,
and that's not true.
For instance, Qt Webkit is not supported for MIPS64 when
using the n32 ABI, but Qt Script is actually supported. So, if we make
BR2_PACKAGE_QT_ARCH_SUPPORTS_WEBKIT depending on !BR2_MIPS_NABI32 we
will also disable Qt Script, because as I said before, Qt Script depends
on BR2_PACKAGE_QT_ARCH_SUPPORTS_WEBKIT, and we don't want that because
Qt Script works.
We fix this by creating another variable called
BR2_PACKAGE_QT_ARCH_SUPPORTS_SCRIPT to state which architectures support
Qt Script, so now we can differentiate them from the ones supporting Qt
Webkit.
Related:
http://lists.busybox.net/pipermail/buildroot/2014-November/112605.html
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently, all the installation work of the toolchain-external package
is done during the install-staging step. However, in order to be able
to properly collect the size added by each package to the target
filesystem, we need to make sure that toolchain-external installs its
files to $(TARGET_DIR) during the install-target step.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Jérôme Pouiller <jezz@sysmic.org>
The build of host-lzma is broken since commit 97703978ac
("support/libtool: make -static behave like -all-static").
Lzma forces '-static' in its LDFLAGS, which contradicts what buildroot tries to
achieve by patching libtool scripts and configuring host packages with
'--disable-static'.
We add a patch to remove lzma's hardcoded LDFLAGS, to fix the build.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This lets you (by default enabled) compile out its readline
dependency.
[Thomas:
- remove the patch, which is now unneeded, since we've bumped to
nftables 0.4, which as the patch to make readline optional.
- remove the new Config.in option, just enable the interactive
console when the readline package is enabled.]
Signed-off-by: Alexander Clouter <alex+buildroot@digriz.org.uk>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We used to specify explicitly serial port with all its settings
for init to instantiate getty.
This limits usecases when the same one rootfs could be used.
For example following cases won't work well with hardcoded
serial console settings:
* On the same board other serial port is expected to be used
* The same rootfs is intended to be used on different boards with
different serial ports (like ttySx vs ttyAMAx or even ttyx)
With this change by default we rely on "console" specified in
kernel's boot command line.
What is important getty will be set on the last console
specified in bootargs.
For example is a kernel comand line:
--->---
bootargs="... console=tty0 console=ttyS3,115200n8..."
--->---
This now will instantiate serial console on ttyS3 but not on tty0.
Tested with both Busybox and SysV init.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This flag seems to be obsolete. There is no piece of code in the U-Boot source
tree referencing CONFIG_NOSOFTFLOAT.
Unfortunatly the use of this flag is not documented here. Maybe it's about this
old workaround:
http://lists.denx.de/pipermail/u-boot/2007-March/020282.html
However, this patch has been declined:
http://www.denx.de/wiki/view/U-Boot/PatchStatus?rev=1.27
Since no other configure options are used, remove also UBOOT_CONFIGURE_OPTS.
Signed-off-by: Jörg Krause <jkrause@posteo.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Like was done for the 'python' package, also make the ossaudiodev
module optional for 'python3'. ossaudiodev is always disabled for
host-python3, and a new option is added to enable it for the target
python3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now that we have a configure option in Python to enable/disable the
ossaudiodev module, this commit adds a configuration option to the
target Python to explicitly enable/disable this module.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This module is not needed to build the target Python, and can cause
some build issues on certain systems (when <linux/soundcard.h> does
not contain the OSS related definitions).
Signed-off-by: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This module causes some build failures in certain setups and is not
very useful.
Signed-off-by: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This is an example of a Device-Tree-enabled Raspberry Pi defconfig.
We have to use a 3.18-based kernel for that, but there are a few
limitations:
- we can not use the minimalist RPi defconfig bundled with the kernel,
namely bcmrpi_quick_defconfig, because it is not DT-enabled, and
sets CONFIG_ARM_PATCH_PHYS_VIRT to 'n', which prompts a value for
CONFIG_PHYS_OFFSET, as it as no default for the bcm familly;
- most importantly, the rpi-3.18.y branch is constantly rebased, so
there is no guarantee that the sha1 I use today will still be usable
in the long term. Using the name of hte branch is not better either.
So, we bundle our own DT-enabled linux defconfig that is based on
bcmrpi_quick_defconfig, with just CONFIG_ARM_PATCH_PHYS_VIRT set and the
Device TRee enabled.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas:
- Rename the VNSTAT_INSTALL_VNSTATI to VNSTAT_INSTALL_VNSTATI_CMDS,
and use 'define ... endef'.
- Use full paths for the destinations when using $(INSTALL)]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested with RaspberryPi B+ and PiTFT Mini Kit - 320x240 2.8" TFT
(see [1] and [2]) and the following target configuration changes:
- cmdline.txt: add 'fbcon=map:10 fbcon=font:VGA8x8'
- add /etc/modules-load.d/fbtft.conf with 'fbtft_device'
- add /etc/modprobe.d/00-fbtft.conf with 'options fbtft_device name=adafruit28 rotate=90 gpios=dc:25'
[1] http://h65951.serverkompetenz.net/PeterSeiderer/upload/PiTFT_2_8_ct/Image9893.jpg
[2] http://h65951.serverkompetenz.net/PeterSeiderer/upload/PiTFT_2_8_ct/Image9897.jpg
[Thomas:
- Rename prompt of the Linux extension to "FB TFT drivers"
- Remove the full name of the kernel config options in the help
text. Giving their CONFIG_<foo> name is enough.
- Remove the mention of CONFIG_SPI_BCM2708, since this makes the
description RaspberryPi specific, while these drivers can work
with any SPI controller.
- Refactor the code in linux-ext-fbtft.mk to avoid duplication
between the < 3.15 and >= 3.15 cases.
- Make the fbtft package a promptless package, since there is no
point in selecting only this package, without the kernel
extension.
- Change the license to GPLv2, since it's kernel code.]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
